Cisco 7604 Configuration Guide - Page 348
Chapter 17 Applying AAA for Network Access
Configuring Authentication for Network Access

Step 1 Using the aaa-server command, identify your AAA servers. If you have already identified your AAA servers, continue to the next step. For more information about identifying AAA servers, see the "Identifying AAA Server Groups and Servers" section on page 11-9.

Step 2 Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want to authenticate. For steps, see the "Adding an Extended Access List" section on page 13-6. The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure to include the destination ports for either HTTP(S), Telnet, or FTP in the access list because the user must authenticate with one of these services before other services are allowed through the FWSM.

Step 3 To configure authentication, enter the following command:

hostname(config)# aaa authentication match acl_name interface_name server_group

where acl_name is the name of the access list you created in Step 2, interface_name is the name of the interface as specified with the nameif command, and server_group is the AAA server group you created in Step 1.

Note: You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.

Step 4 (Optional) If you are using the local database for network access authentication and you want to limit the number of consecutive failed login attempts that the FWSM allows any given user account, use the aaa local authentication attempts max-fail command. For example:

hostname(config)# aaa local authentication attempts max-fail 7

Tip: To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.

Step 5 (Optional) When a user authentication times out or you clear the authentication sessions using the clear uauth command, you can force any active connections to close immediately by entering the following command:

hostname(config)# aaa authentication clear-conn interface_name source_ip source_mask

Without this command, active connections are not terminated even though the user authentication session expired.

For example, the following commands authenticate all inside HTTP traffic and SMTP traffic:

hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound

17-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
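As an added configuration check written for this page (not part of the Cisco guide), the Python script below scans an FWSM configuration excerpt for the constraints the steps above state: every aaa authentication match must name a server group created with aaa-server, its access list must permit an HTTP(S), Telnet or FTP destination port so users have a service to authenticate with, and aaa authentication include must not be mixed with aaa authentication match. The regular expressions cover only the command forms shown on this page, and SAMPLE_CONFIG is a constructed input built from the MAIL_AUTH example plus a deliberately SMTP-only access list.

```python
import re
from collections import defaultdict
# Destination ports the FWSM can prompt on (HTTP, HTTPS, Telnet, FTP), by name and number.
AUTH_PORTS = {"www", "http", "https", "telnet", "ftp", "80", "443", "23", "21"}
# Only the command forms shown on this page are parsed; other syntax is ignored.
SERVER_RE = re.compile(r"^aaa-server (\S+) protocol \S+")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) .*?(?:eq (\S+))?$")
MATCH_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")
INCLUDE_RE = re.compile(r"^aaa authentication include ")

def check_aaa_auth(config_text):
    """Return a list of findings (strings) for the aaa authentication match commands in config_text."""
    acl_ports = defaultdict(set)  # ACL name -> permitted destination ports ("*" = no port restriction)
    groups, matches, has_include = set(), [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            groups.add(m.group(1))
        elif m := ACE_RE.match(line):
            name, action, proto, port = m.groups()
            if action == "permit" and proto in ("tcp", "ip"):
                acl_ports[name].add(port or "*")
        elif m := MATCH_RE.match(line):
            matches.append(m.groups())
        elif INCLUDE_RE.match(line):
            has_include = True
    findings = []
    if has_include and matches:
        findings.append("both aaa authentication include and aaa authentication match are used; the FWSM allows only one method")
    for acl, iface, group in matches:
        if group not in groups:
            findings.append(f"{acl} on {iface}: server group {group} was never created with aaa-server")
        ports = acl_ports.get(acl, set())
        if not ports:
            findings.append(f"{acl} on {iface}: access list has no permit tcp/ip ACEs, so nothing is marked for authentication")
        elif "*" not in ports and not ports & AUTH_PORTS:
            findings.append(f"{acl} on {iface}: no HTTP(S), Telnet or FTP destination port, so users have no service to authenticate with")
    return findings

# Constructed sample: the page's MAIL_AUTH example plus a second match whose ACL lists only SMTP.
SAMPLE_CONFIG = """\
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1
access-list MAIL_AUTH extended permit tcp any any eq smtp
access-list MAIL_AUTH extended permit tcp any any eq www
aaa authentication match MAIL_AUTH inside AuthOutbound
access-list SMTP_ONLY extended permit tcp any any eq smtp
aaa authentication match SMTP_ONLY dmz AuthOutbound
"""
```

Running check_aaa_auth(SAMPLE_CONFIG) reports only the SMTP_ONLY match, because MAIL_AUTH already permits www; an ACL with an unrestricted permit ip entry passes the port check.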